Friday, March 18, 2011

The first thing that a company does when it's compelled to report a significant breach of security is try to mitigate the impact. When Google's Chief Legal Officer David Drummond reported that the company had been the victim of a "sophisticated and highly targeted" attack, he claimed that it only affected two Gmail accounts belonging to Chinese human rights advocates. Take careful note of how Drummond opened his now famous post: "Like many other well-known organizations, we face cyber attacks of varying degrees on a regular basis."

Fast forward from January 12, 2010 to March 17, 2011 and the opening sentence from EMC's "Open Letter to RSA Customers" regarding the attack against RSA's SecurID products: "Like any large company, EMC experiences and successfully repels multiple cyber attacks on its IT infrastructure every day."

The opening sentence is so similar that you'd almost think RSA's lawyers met with Google's lawyers for strategy advice on how to draft their public statement. For the rest of us non-lawyers, the first sentence basically says "This is not our fault".

The balance of EMC's letter asks readers to believe a common conundrum: that the attackers were skillful enough to breach RSA's best security protocols but weren't smart enough to take the crown jewels. Google tried that same tactic a year earlier by referring to its own breach as a highly sophisticated attack which only succeeded in cracking a couple of Chinese dissidents' email accounts. Again, for us non-lawyers, let me break that down for you: "A Mossad hit squad found the Munich terrorists but let them live after giving them a firm talking-to." Sure they did.

I didn't believe Google then and I don't believe RSA now. I do believe, however, that there's a punch line to this joke that we haven't heard yet. And that it's just a matter of time before we do.

Thursday, March 10, 2011

In the last 30 minutes, I've heard two cybersecurity myths that I thought were long dead. To my amazement and great disappointment, they're both quite alive.

Myth #1. The Internet Kill Switch.

I can't believe that this myth is still being reported on. There is no kill switch in S.413, the "Cybersecurity and Internet Freedom Act". In fact, the bill states just the opposite:

"(c) LIMITATION.—Notwithstanding any provision of this Act, an amendment made by this Act, or section 706 of the Communications Act of 1934 (47 U.S.C. 606), neither the President, the Director of the National Center for Cybersecurity and Communications, or any officer or employee of the United States Government shall have the authority to shut down the Internet."

Myth #2: China hijacked the Internet for 17 minutes

This myth is not only still popular, it was recently cited by none other than the Director of National Intelligence, James Clapper. Unfortunately there's no evidence to support this claim. The best analysis to date that I've read is by Craig Labovitz of Arbor Networks. Perhaps someone could pass that analysis along to Director Clapper?

On February 11, 2011, Gerry Cauley, the new President and CEO of NERC, testified before the House Armed Services Committee's Subcommittee on Emerging Threats and Capabilities. You can read the transcript here. I liked a lot of what Mr. Cauley had to say until I got to the section entitled "Information Exchange Is Critical" and read that NERC's security policy relies on known risks. Frankly, I'm stunned by the implications of that statement. Imagine what would happen if other organizations tasked with security adopted that posture.

US Secret Service: "Mrs. Obama, we understand that you're upset however the Service cannot be held responsible for protecting the President against threats that we don't already know about."

TSA: "Don't blame us. No one had ever hid a bomb in their underwear before."

Actually, the TSA used to be as clueless as NERC about how to manage security until John Pistole took over in July, 2010. When your entire security posture is built upon the assumption that an adversary will repeat a past attack strategy that he's already used and that you're prepared to detect and defend against, you'll always be blind-sided by a novel attack.

In his testimony, Cauley goes on to stress the importance of increased information exchange with the federal government; that without "actionable intelligence", the companies that compose the Bulk Power Grid will always be "a step behind when it comes to protecting against potential threats and unknown vulnerabilities." On its face, this seems perfectly reasonable; however, if Cauley is expecting any federal agency to act like a cyber version of NORAD and alert NERC when a "cyber missile" is on its way to attack an energy provider in the Western Interconnect of the Grid, I'd like to have some of whatever he's smoking, because that's never going to happen.

NERC has so much that it must do to clean up its own house and redress its members' lengthy history of avoiding spending money on security by inventing ludicrous loopholes like "assumption of risk" and "reasonable business judgment" that Cauley's comments about increased information exchange are premature at best. A better approach might be a public commitment by CEO Cauley that NERC's entire membership will dedicate itself to implementing the SANS 20 Critical Security Controls, regardless of the cost. There's no point in discussing how to anticipate future attacks when some Independent System Operators still don't have immutable audit logs or are afraid to apply patches for fear of breaking their antiquated networks. When the time comes that NERC and its membership are actually prepared to benefit from a forward-looking threat intelligence capability, the first thing that they should know is that the definition of security is managing risk from both known and unknown threat entities.

Thursday, March 3, 2011

Last week I spoke at a private dinner attended by about a dozen Fortune 100 CIOs. I had been invited to share my perspective on why corporations continue to be compromised in spite of millions of dollars being spent on enterprise IT security solutions, and to offer my recommendations on some alternative protective strategies. I was delighted at how eager the attending executives were to discuss their frustrations and share their experiences in trying to protect vast networks spanning, in some cases, over 100 countries. One of the takeaways for me was the almost visceral anger that some executives felt toward "Big InfoSec". Big InfoSec is starting to emulate "Big Pharma": those giant drug companies who have no interest in curing an illness because the money is in treating symptoms, not in finding a cure. The parallels to large anti-virus companies were obvious to everyone.

But it goes far beyond growing disillusionment with Anti-Virus, IDS, IPS, behavioral analysis and other off-the-shelf solutions. There's a growing lack of trust inside the C-suite in the ability of automated solutions to protect key corporate assets. An even more extreme situation exists in India where there's NO trust in private industry by the government. One Indian national security advisor explained it to me this way: "How do we trust a company whose motive is profit to act in the best interest of our country?" And he has a point. There are very few U.S. multi-national companies who calculate national security interest when weighing their investments in foreign states that are potential adversaries to the U.S. unless such an action would also result in higher profits for the company's shareholders. Likewise, how does a CIO know that the sales engineer for XYZ security company is presenting the best solution for the CIO's company or simply a solution that's best for XYZ's bottom line?

The coming backlash against Information Security vendors is just beginning to brew. It's taking place in private conversations among senior executives at events where the Chatham House Rule is invoked or after NDAs are in place. I don't believe that it'll emerge from under the surface into a full-blown tsunami until 2012, but by then it'll be too late to do anything but scramble for cover and hope that there's something left of your over-valued InfoSec company to salvage afterwards.

Tuesday, March 1, 2011

Russian President Medvedev is well aware of the role that Twitter, Facebook, and other social networking websites have played in the revolutionary changes that have been taking place in the Middle East and the Maghreb. He said as much last week when he spoke at a meeting of Russia's Anti-Terrorism Council in Vladikavkaz, according to a Feb 24th article in The Moscow Times, "Kremlin Sees Peril In Arab Unrest".

Effective today, March 1, 2011, a new Russian law gives police the right to order executives of Internet companies to shut down services which pose a threat to the peace or place the security of the Russian Federation in peril. This follows earlier high profile government efforts to "clean up" the Russian Internet space (known as Runet):

November, 2009: the Russian Ministry of Communications organizes an effort led by Yuri Milner, Chairman of DST-Global to look for illegal content online and report his findings to the Commission in mid-2010.

Feb 8, 2011: The League of Internet Safety is launched with Mail.ru Group CEO Dmitry Grishin on its Board of Trustees. Mail.ru Group is a subsidiary of DST-Global.

These internal efforts are preceded by the Kremlin's recognition that the Russia-Georgia war (2008) signaled the beginning of the virtual reality of conflicts and "the need to wage war in the information field too" (Vladislav Surkov in a closed door address to Russian spin doctors as reported in "Information Warfare Chronicles" - Yevropa Press 2009).

Considering that DST-Global either owns or has significant investment in some of the world's largest Internet services companies (Facebook, Zynga, ICQ, Mail.ru, Groupon, QQ, VKontakte, etc.), Medvedev's strategy may very well achieve its objective of maintaining order through the diversification of control via a citizens' "League", expanded police powers, and the support of corporate officers from billion-dollar Russian companies like DST.